HB Ad Slot
HB Mobile Ad Slot
GDPR Countdown: Just Days until May 25
by: Jennifer Schaller  -  National Law Review News
Monday, May 21, 2018

What is the GDPR?

The EU General Data Protection Regulation is the EU’s most important data and privacy policy change in the past 20-years. GDPR was approved by the EU Parliament on April 14, 2016, with an effective date of May 25, 2018. GDPR will replace the Data Protection Directive 95/36/EC, in an effort to create concerted privacy laws throughout the EU, increase privacy protections for citizens, and limit the ways in which companies can collect personal data. With every other story in the news dealing with privacy concerns, data breaches; and major class actions stemming from these cybersecurity missteps against big name companies; data privacy is imperative for all companies to prioritize.  The GDPR goes into effect on May 25, 2018.  Is your company ready?

Who is Impacted by GDPR?

Many US companies are asking if they are impacted by GDPR--and the answer is yes, US companies are liable to GDPR provisions in many instances.  In fact, an important piece of GDPR is understanding who is impacted by GDPR, and the geographical scope is much larger than it may seem at first brush.  GDPR provides data protection and privacy for EU citizens, and it applies to all companies who are offering goods and services to the EU.  So even if your company is not based in the EU, you are liable to the regulations if you are collecting data from EU citizens, even if no financial transaction takes place.  If your company is collecting any kind of PII--Personally Identifiable Information--from EU citizens, the broader scope of the law kicks in. 

An Explanation of Some Key GDPR Terminology

In order to comply with the provisions of GDPR, it’s important to understand the data terminology used by the regulations. Below are some of the major terms, defined.

Who is a Data Processor and Who is a Data Controller?

A scenario, if your company XXX, sells a product to EU consumers and uses Ape Bulk emailing system to email EU clients or potential clients on behalf of XXX and Ape tracks readership and engagement, and other email activity data, your company XXX is the data controller, and Ape Bulk emailing system is the data processor.  This can be construed even broader if your firm has a website which EU subjects can access, the personal data regulations may be triggered if you have any type of readership analytics associated with your website.

Whether your company is a data controller or data processor matters, but you’re not off the hook for GDPR compliance if you are a data controller. Generally, GDPR treats the data controller as the responsible principal party for collecting consent, managing the revoking of consent, and enabling data access.   A data subject who wishes to revoke consent for his or her personal data therefore will contact the data controller to initiate the request, even if such data lives on servers belonging to the data processor. The data controller, upon receiving this request, would then proceed to request the data processor remove the revoked data from their servers. However,  Article 28 Sec requires data controllers to select only those data processors that can provide sufficient guarantees that the processor will comply with the GDPR and implement “appropriate technical and organizational measures” to protect the data. So controllers are legally obligated to select processors that are prepared for GDPR compliance.

Data processing under GDPR extends to several activities. These include operation(s) of personal data or sets of personal data, to include storing data, retrieval, erasure or destruction, or otherwise adapting or altering data sets. The use of legal contracts in a business setting, collection of employee information to provide to government agencies for tax filing (or other purposes), performing an internal administrative process (internal payroll services), or processing data to collect payment information, are some instances when data processors and controllers may process data, without the data subject’s consent. This applies regardless of industry-sector.

To be clear, while data processors are doing the work of complying with privacy regulations, data controllers are liable for selecting data processors that can comply with those regulations.  If the Data Processor does not adequately perform the tasks required by GDPR, the Data Controller is responsible-and liable.  Liable to the tune of Up to €20 million… or four percent of your total worldwide annual turnover of the previous financial year, whichever is higher. 

Will the UK Be Affected by GDPR with the Impending Brexit Split?

As previously discussed, any company which operates in the EU, sells to EU residents, or collects data, privacy, and personal information from EU citizens will be subject to  GDPR. Although Brexit has been finalized, UK companies are still affected by GDPR, as the UK will remain a member-state through March 2019.

Once Brexit occurs, the UK will be treated as a third-party country, which will still be affected by GDPR policies, if the country engages in the collection of personal information, research, or other services with EU-member state residents.


GDPR is meant to synthesize data regulations across the EU, to create a more hospitable environment for business by making data requirements uniform--to smooth out data transfers across the European Union.  Along with making the requirements consistent, the regulation is also designed to make sure EU citizens are offered a high level of data protection in today’s privacy-conscious world.  Ultimately, these regulations are designed to facilitate business in the EU, and many analysts believe that the regulations--while initially onerous--will ultimately benefit businesses operating in the digital sphere.

In the meantime, compliance is essential.  In our next installment, we will look at cookie disclosures and contract requirements, to help  data Controllers make sure data processors are compliant.  In our third installment, we will take a look at breach notification requirements under GDPR.

HB Ad Slot
HB Mobile Ad Slot
HB Ad Slot
HB Mobile Ad Slot
HB Ad Slot
HB Mobile Ad Slot

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins


Sign Up for e-NewsBulletins